Information Assurance: Critical Security Controls at Consulting Firm X

Running head: INFORMATION ASSURANCE AWARENESS
A case study for the Twenty Critical Security Controls at Consulting Firm X for IT Personnel
Name of the Student
Name of the University
Author’s Note:
Table of Contents
Question 1..................................................................................................................................3
Question 2..................................................................................................................................5
Question 3..................................................................................................................................7
References..................................................................................................................................9
Question 1
Value of Having an Information Assurance Program in an Organization
An information assurance program is the proper design and implementation of security policies for the core purpose of protecting major IT assets and critical business processes (Von Solms & Van Niekerk, 2013). Such a program also defines the processes and policies for assessing the major risks and threats, monitoring those threats and mitigating attacks. Firm X supports a large number of confidential US government projects, such as hosting or developing applications and portals, as part of its work. Because of the several types of cyber attack it faces, Firm X has decided to maintain a high-level information assurance program for the implementation of security controls (Dittmer, 2014). Building an information assurance program means designing and implementing the security practices that protect business processes.
The major value of having an information assurance program within an organization is that it helps to protect the CIA of information: confidentiality, integrity and availability. Failure to secure these three pillars of information security can lead to loss of business, loss of reputation and regulatory fines (Crossler et al., 2013). Applying appropriate physical, technical and administrative safeguards through an information assurance program helps to secure the confidentiality, integrity and availability of the organization's critical assets. Regarding confidentiality, it is vital to ensure that confidential information does not end up in the wrong hands. To maintain confidentiality, access should be restricted to authenticated and authorized individuals only. Significant methods for this factor include strong passwords, unique user IDs, two-factor authentication and encryption. To maintain the integrity of sensitive data, its authenticity and accuracy must be preserved (Peltier, 2013). This means that sensitive data should be protected from any intentional or accidental change that could taint it. Access controls and file permissions are the best methods of maintaining integrity. The third factor, availability, is maintained by ensuring that critical assets, information and services are available to customers whenever they are required. Availability is not lost only when data is destroyed or lost; it is also lost when access is delayed. The information assurance program is also helpful for developing a disaster recovery plan and for performing regular backups.
INFORMATION ASSURANCE AWARENESS
authentication and encryption. For maintenance of integrity factor in the sensitive data, the
authenticity and accuracy should be maintained (Peltier, 2013). It refers to the fact that the
sensitive data should be secured from any type of intentional as well as accidental changes,
which can taint the data. The access controls and file permissions are the best methods to
maintain integrity. The third factor of availability can be maintained by ensuring that critical
assets, information and services are available to the customers whenever required. This does
not apply to the destroyed and lost data, however when access is being delayed. The
information assurance program is also helpful for developing a disaster recovery plan and
also performing regular backups.
Question 2
Factors for Considering the Development of an Information Assurance Awareness Program
The proper development of an information assurance awareness program depends on several major factors, and these factors must be considered when developing such a program within any organization (Siponen, Mahmood & Pahnila, 2014). After analysing the case study of Firm X, it is observed that these factors can also provide high security for organizational data and resources. There are twenty critical security controls in this type of program, including: inventory of authorized and unauthorized hardware devices; inventory of authorized and unauthorized software; continuous vulnerability assessment and remediation; malware defences; application software security; wireless access controls; data recovery capabilities; security skills assessment; secure configurations for network devices such as routers, switches and firewalls; limitation and control of network ports; controlled use of administrative privileges; boundary defences; and others (Peltier, 2016).
The major factors to consider when developing this type of information assurance awareness program are as follows:
i) Protection of Company Assets: This is the most important factor to consider when developing the program.
ii) Providing Direction to the Security Activities: Security activities should be evaluated and executed efficiently and effectively by framing information security policies, processes, guidelines and standards.
iii) Information Classification: Relevant information should be classified accordingly, maintaining a proper balance across the entire organizational database.
iv) Security Organization: The entire domain of organizational information, data and other resources should be properly organized to ensure that irrelevant and redundant data are avoided (Xu et al., 2014).
v) Various Controls: The next important factor to consider when developing an information assurance awareness program is the presence of the various control types: administrative, technical (logical) and physical controls.
Question 3
Importance of Having a Security Awareness Program for Employees in an Organization
A security awareness program is extremely important for the employees or staff of any organization. This type of program ensures that all organizational members follow security procedures and are aware of the importance of information and data security. One noteworthy reason for introducing such a program is legal compliance: without it, the organization risks becoming non-compliant with the law, a position it does not want to be in (Safa, Von Solms & Furnell, 2016). Cyber attacks and threats are significantly reduced once this type of security awareness program is introduced in the company. The concepts of cyber security should be clear to every member of staff, so that they can handle clients' sensitive information effectively and efficiently.
A security awareness program also makes individuals aware of the probable risks to the things they value most within their company, and of how to protect against those risks. The biggest threat to any information asset or system is the human factor, and by running an information security awareness program, information security can be improved considerably (Von Solms & Van Niekerk, 2013). A good information security awareness program is a critical component of every organization; it comprises a comprehensive set of information security processes and policies that help to store personally identifiable information (PII) and any other proprietary information, taking a holistic approach to safeguarding and securing that information. Operational, technical and management controls are all strongly affected by this type of security program, so it is extremely important to keep such a training program for employees in every organization.
References
Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013). Future directions for behavioral information security research. Computers & Security, 32, 90-101.
Dittmer, J. (2014). Implementing an Information Assurance Awareness Program: A case study for the Twenty Critical Security Controls at Consulting Firm X for IT Personnel. Accessed from https://www.sans.org/reading-room/whitepapers/bestprac/implementing-information-assurance-awareness-program-case-study-twenty-critical-security-controls-consulting-firm-personnel-35322 [Accessed on 05 Apr. 2019].
Peltier, T. R. (2013). Information security fundamentals. CRC Press.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.
Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees' adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224.
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.
Xu, L., Jiang, C., Wang, J., Yuan, J., & Ren, Y. (2014). Information security in big data: privacy and data mining. IEEE Access, 2, 1149-1176.